cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GRC AC 10 Provisioning Managers

Go to solution
Former Member

on ‎09-26-2013 8:53 PM

0 Kudos

Hi All

We are in process for implementing GRC AC 10 for one of our clients and are currently in functional phase of the project. We understand that managers would need to be assigned a role which provides them with the approver access. How can we automate the below process?

  • Create user IDs for managers
  • Assign them the approver role

Appreciate if you can share the best practices in automating the above mentioned process.

Let me know if you need additional details.

Note: We are planning to use LDAP as a the source of users/user details.

Thank you.

Anjan Pandey

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎09-27-2013 9:41 AM
0 Kudos

Hello Anjan

i dont think there is any best practice for your requirement as it depend how many approver you have .

If you have less number of approvers (manager ) best way would be to createt ham manually or use LSMW or ecatt script if you want to automate them .

with one of the client for us ,ABAPer also write a script to pull the manager id from LDAP and assign default GRC approver role ,

By the way how many managers you need to create in GRC

Hope it helps .

Show replies
Show replies
Former Member
‎09-27-2013 4:15 PM
0 Kudos

Hi Asheesh,

Thanks for your response. The count of managers would be approximately between 20000 - 30000. Considering the dynamic org changes in the organisation we are willing to automate the process of ID creation and role assignment. Creating a script is an option we were considering, just thinking loud if we have any other option.

Do you have any idea on the impacts on costs for creating so many IDs in GRC box if the customer has enterprise license.

We have also raised a message to SAP to suggest the solution.

Thanks.

Anjan Pandey

Former Member
‎09-30-2013 9:00 PM
0 Kudos

Hi All,

Do we have any other options available for the issue raised in the discussion. There are additional thoughts and questions.

  1. What are audit implications if we edit the code to disable authorization check when any approver is trying to approve, disapprove or any other action within a request?
  2. What is the licensing concerns with having more than 30000 IDs created in the GRC system?

Looking forward to your responses.

Thank you.

Anjan Pandey

Former Member
‎10-01-2013 8:16 AM
0 Kudos

Hello Anjan

I am sure for 1 point  , audit if able to caugh will raise concern , why you want to do so ,

for 2 nd oint ,GRC licensig is doesnot work standard way so better to check with license team at Customer side .

we also had enterprise license and never faced any issue with approver master data

Kind regards

Asheesh

Former Member
‎10-01-2013 2:25 PM
0 Kudos

Thanks Ashish. Option 1 was just a thought. I am sure we will have concerns even when we go for an upgrade. I will work with the organisation point of contact for the Licensing questions.

Thank you.

Anjan Pandey

Former Member
‎10-01-2013 5:16 PM
0 Kudos

Hi,

Do we have anyone from SAP who can provide their feedback to the queries raised by me.

Thank you.

Anjan Pandey

kevin_tucholke1
Contributor
‎10-02-2013 5:29 PM
0 Kudos

Anjan:

Have you thought about doing an LDAP Sync to your GRC Instance?  There you can sync the users into the SU01 as well as assign the necessary roles that you create.  This is native functionality for SAP NW ABAP.  Assuming that your LDAP has the correct managers entered, I would think that there would be a way to segregate out which user IDs you can sync in.  I am not a BASIS person, but have been at customers where the LDAP Sync is used for this load.

Thanks

Kevin Tucholke

Answers (4)

Answers (4)

former_member1293218
Explorer
‎10-04-2013 6:22 AM
0 Kudos

This message was moderated.

Show replies
Show replies
Arif1
Active Participant
‎09-28-2013 8:47 PM
0 Kudos

Hi,  Recently we have implemented GRC AC 10. we have collected all Manager/Approver list from HR and created all approver using ecat with approver role, email address and password.  ecat is the best solution and you can go this way.  Thanks, Arif

Show replies
Show replies
Former Member
‎09-30-2013 9:02 PM
0 Kudos

Hi Arif,

My concern is more towards getting the list of Managers in this big dynamic org setup.

Thank you.

Anjan Pandey

Former Member
‎09-27-2013 3:52 PM
0 Kudos

Anjan,

We are not yet live on GRC 10, so at this point this is just our plan, but we expect to utilize our IdM solution to identify who the managers are, based on their attributes coming in from HR. If you have direct reports (your PERNR is populated in a particular place in someone else's record), you are a thereby for this purpose a "manager," and it will create your ID and provision the necessary portal access and backend ABAP role. It is still under development, so we are keeping our fingers crossed that all the kinks will soon be worked out.

Gretchen

Show replies
Show replies
Former Member
‎09-27-2013 4:20 PM
0 Kudos

Thanks for your response. We are trying to understand if we have any standard solution from SAP to automate the provisioning. I am sure many implementations would have had this as a question. Particulalrly in large organisations, this step needs to be automated.

All the best for success of teh solution approach you have taken.

Thank you.

Anjan Pandey

Former Member
‎09-27-2013 5:01 AM
0 Kudos

Dear Anjan,

I did not get your exact requirement. Do you want that all the manager specific role gets added automatically as soon as you create a request for the manager? If this is your requirement, I would suggest you to use the concept of Template based request or model user request.

Please let me know if my understanding is correct or not?

Thanks & Regards

Japneet Singh

Show replies
Show replies
Former Member
‎09-27-2013 4:10 PM
0 Kudos

Hi Japneet,

Requirement is to automate the creation of managers ID and assignment of default roles  in GRC AC 10.  Considering the volume, we donot intend to have them create a request to get access in GRC box.

Thank you.

Anjan Pandey

Ask a Question